Guest Steve Posted July 7, 2008 Posted July 7, 2008 All, I could really use some help with this EFS/DRA stuff. One thing at a time I suppose. I have successfully published a DRA via Group Policy (Win2k3/AD). I created an encrypted file on an XP2 machine. When I click details of the encrypted file, I can see the DRA. Associated with the user is a Cert Thumbprint. I am logged onto a DC with the DRA user and when I open the Certificates snap-in for mmc, the under Personal --> Certificates, the cert is there (with the same Thumbprint). Likewise the same cert is listed under Active Directory User Object --> Certificates. However when I try to access the files on the XP machine from the DC (file share) it says access is denied. I am trying to test the data recovery agent before implementing EFS on my network. Did I miss a step? Possibly related or unrelated, I am also havinga problem with DC issued certs vs. self-signed certs. I was testing with QA and found that I needed to add his self-signed cert to the encrypted file so that he could view it. He has been autoenrolled for a efs cert (duplicate of Basic EFS) but it doesn't appear to be working. What did I miss here? Also, I have noticed that many users have been autoenrolled for the efs cert multiple times (viewing the Certification Authority --> Issued Certificates). Any and all help would be greatly appreciated. -- Steve Quote
Guest Brian Komar \(MVP\) Posted July 7, 2008 Posted July 7, 2008 some initial answers inline... "Steve" <Steve@discussions.microsoft.com> wrote in message news:AA251001-9431-43DF-95F9-8E681FBB99FB@microsoft.com...<span style="color:blue"> > All, > > I could really use some help with this EFS/DRA stuff. One thing at a time > I > suppose. > > I have successfully published a DRA via Group Policy (Win2k3/AD). I > created > an encrypted file on an XP2 machine. When I click details of the encrypted > file, I can see the DRA. Associated with the user is a Cert Thumbprint.</span> This is good news <G> <span style="color:blue"> > > I am logged onto a DC with the DRA user and when I open the Certificates > snap-in for mmc, the under Personal --> Certificates, the cert is there > (with > the same Thumbprint). Likewise the same cert is listed under Active > Directory > User Object --> Certificates.</span> Does it state that you have the private key associated with the certificate? If yes, then export it now!! Do not pass go, do not wait for anything. This is the only copy of the certificate and private key\ <span style="color:blue"> > However when I try to access the files on the > XP machine from the DC (file share) it says access is denied. I am trying > to > test the data recovery agent before implementing EFS on my network. Did I > miss a step?</span> To use the key as the DRA, you must log on locally at the computer. You are connecting over the network. You are connecting over the network. You are creating a profile on the remote machine, generating a new EFS certificate, and attempting to open it with that certificate. The encryption/decryption is all remote. It is not a transfer of the encrypted file to your machine. It is a remote decryption and transfer of the file in the clear. <span style="color:blue"> > > Possibly related or unrelated, I am also havinga problem with DC issued > certs vs. self-signed certs. I was testing with QA and found that I needed > to > add his self-signed cert to the encrypted file so that he could view it. > He > has been autoenrolled for a efs cert (duplicate of Basic EFS) but it > doesn't > appear to be working. What did I miss here? Also, I have noticed that many > users have been autoenrolled for the efs cert multiple times (viewing the > Certification Authority --> Issued Certificates).</span> There is a KB article (sorry no time to search for it now) that prevents the creation of self-signed certificates. In addition, you want to enable Credential Roamining Services or Roaming profiles to prevent the re-issuance of EFS certificates.<span style="color:blue"> > > Any and all help would be greatly appreciated. > -- Steve </span> Quote
Guest Steve Posted July 7, 2008 Posted July 7, 2008 Thanks for the response. I exported the private key, assigned it a password and saved it. Now it says there is a private key that corresponds to the certificate. You say that if it does, export it. Didn't I just do that? Or should I do it again? Thanks alot for your help. -- Steve "Brian Komar (MVP)" wrote: <span style="color:blue"> > some initial answers inline... > > "Steve" <Steve@discussions.microsoft.com> wrote in message > news:AA251001-9431-43DF-95F9-8E681FBB99FB@microsoft.com...<span style="color:green"> > > All, > > > > I could really use some help with this EFS/DRA stuff. One thing at a time > > I > > suppose. > > > > I have successfully published a DRA via Group Policy (Win2k3/AD). I > > created > > an encrypted file on an XP2 machine. When I click details of the encrypted > > file, I can see the DRA. Associated with the user is a Cert Thumbprint.</span> > This is good news <G> > <span style="color:green"> > > > > I am logged onto a DC with the DRA user and when I open the Certificates > > snap-in for mmc, the under Personal --> Certificates, the cert is there > > (with > > the same Thumbprint). Likewise the same cert is listed under Active > > Directory > > User Object --> Certificates.</span> > > Does it state that you have the private key associated with the certificate? > If yes, then export it now!! Do not pass go, do not wait for anything. > This is the only copy of the certificate and private key > > <span style="color:green"> > > However when I try to access the files on the > > XP machine from the DC (file share) it says access is denied. I am trying > > to > > test the data recovery agent before implementing EFS on my network. Did I > > miss a step?</span> > > To use the key as the DRA, you must log on locally at the computer. You > are connecting over the network. You are connecting over the network. You > are creating a profile on the remote machine, generating a new EFS > certificate, and attempting to open it with that certificate. The > encryption/decryption is all remote. > It is not a transfer of the encrypted file to your machine. It is a remote > decryption and transfer of the file in the clear. > > <span style="color:green"> > > > > Possibly related or unrelated, I am also havinga problem with DC issued > > certs vs. self-signed certs. I was testing with QA and found that I needed > > to > > add his self-signed cert to the encrypted file so that he could view it. > > He > > has been autoenrolled for a efs cert (duplicate of Basic EFS) but it > > doesn't > > appear to be working. What did I miss here? Also, I have noticed that many > > users have been autoenrolled for the efs cert multiple times (viewing the > > Certification Authority --> Issued Certificates).</span> > > > There is a KB article (sorry no time to search for it now) that prevents the > creation of self-signed certificates. In addition, you want to enable > Credential Roamining Services or Roaming profiles to prevent the re-issuance > of EFS certificates.<span style="color:green"> > > > > Any and all help would be greatly appreciated. > > -- Steve </span> > </span> Quote
Guest Brian Komar \(MVP\) Posted July 7, 2008 Posted July 7, 2008 Nope, you only have to do it once. I just wanted to make sure you had backed it up. Brian "Steve" <Steve@discussions.microsoft.com> wrote in message news:AC9BBFC3-1789-4335-BF9C-D731618EC594@microsoft.com...<span style="color:blue"> > Thanks for the response. > > I exported the private key, assigned it a password and saved it. Now it > says > there is a private key that corresponds to the certificate. You say that > if > it does, export it. Didn't I just do that? Or should I do it again? > > Thanks alot for your help. > -- Steve > > "Brian Komar (MVP)" wrote: ><span style="color:green"> >> some initial answers inline... >> >> "Steve" <Steve@discussions.microsoft.com> wrote in message >> news:AA251001-9431-43DF-95F9-8E681FBB99FB@microsoft.com...<span style="color:darkred"> >> > All, >> > >> > I could really use some help with this EFS/DRA stuff. One thing at a >> > time >> > I >> > suppose. >> > >> > I have successfully published a DRA via Group Policy (Win2k3/AD). I >> > created >> > an encrypted file on an XP2 machine. When I click details of the >> > encrypted >> > file, I can see the DRA. Associated with the user is a Cert Thumbprint.</span> >> This is good news <G> >><span style="color:darkred"> >> > >> > I am logged onto a DC with the DRA user and when I open the >> > Certificates >> > snap-in for mmc, the under Personal --> Certificates, the cert is there >> > (with >> > the same Thumbprint). Likewise the same cert is listed under Active >> > Directory >> > User Object --> Certificates.</span> >> >> Does it state that you have the private key associated with the >> certificate? >> If yes, then export it now!! Do not pass go, do not wait for anything. >> This is the only copy of the certificate and private key >> >><span style="color:darkred"> >> > However when I try to access the files on the >> > XP machine from the DC (file share) it says access is denied. I am >> > trying >> > to >> > test the data recovery agent before implementing EFS on my network. Did >> > I >> > miss a step?</span> >> >> To use the key as the DRA, you must log on locally at the computer. You >> are connecting over the network. You are connecting over the network. You >> are creating a profile on the remote machine, generating a new EFS >> certificate, and attempting to open it with that certificate. The >> encryption/decryption is all remote. >> It is not a transfer of the encrypted file to your machine. It is a >> remote >> decryption and transfer of the file in the clear. >> >><span style="color:darkred"> >> > >> > Possibly related or unrelated, I am also havinga problem with DC >> > issued >> > certs vs. self-signed certs. I was testing with QA and found that I >> > needed >> > to >> > add his self-signed cert to the encrypted file so that he could view >> > it. >> > He >> > has been autoenrolled for a efs cert (duplicate of Basic EFS) but it >> > doesn't >> > appear to be working. What did I miss here? Also, I have noticed that >> > many >> > users have been autoenrolled for the efs cert multiple times (viewing >> > the >> > Certification Authority --> Issued Certificates).</span> >> >> >> There is a KB article (sorry no time to search for it now) that prevents >> the >> creation of self-signed certificates. In addition, you want to enable >> Credential Roamining Services or Roaming profiles to prevent the >> re-issuance >> of EFS certificates.<span style="color:darkred"> >> > >> > Any and all help would be greatly appreciated. >> > -- Steve</span> >> </span></span> Quote
Guest Steve Posted July 10, 2008 Posted July 10, 2008 So either I'm missing something, or I completely misunderstand EFS. I have turned off the self-signed certificates on a few XP machines (using the hotfix from MS and the Group Policy Option to not allow a user to create self-signed certs). Since then, when I create an EFS file on my XP machine, it uses a cert from my CA....Good. But when I try to add another user to the file, he is unable to open it. (In fact since installing the hotfix and adding the GP option, he can't even create a new file on the encrypted share). I have NOT done anything with credential roaming yet. Is that my problem? Bottom line, I want to encrypt a file on my machine (XP), add a user with the ability to decrypt it, and allow them to open it on their machine. Is this not possible? Thanks, -- Steve "Brian Komar (MVP)" wrote: <span style="color:blue"> > Nope, you only have to do it once. > I just wanted to make sure you had backed it up. > Brian > > "Steve" <Steve@discussions.microsoft.com> wrote in message > news:AC9BBFC3-1789-4335-BF9C-D731618EC594@microsoft.com...<span style="color:green"> > > Thanks for the response. > > > > I exported the private key, assigned it a password and saved it. Now it > > says > > there is a private key that corresponds to the certificate. You say that > > if > > it does, export it. Didn't I just do that? Or should I do it again? > > > > Thanks alot for your help. > > -- Steve > > > > "Brian Komar (MVP)" wrote: > ><span style="color:darkred"> > >> some initial answers inline... > >> > >> "Steve" <Steve@discussions.microsoft.com> wrote in message > >> news:AA251001-9431-43DF-95F9-8E681FBB99FB@microsoft.com... > >> > All, > >> > > >> > I could really use some help with this EFS/DRA stuff. One thing at a > >> > time > >> > I > >> > suppose. > >> > > >> > I have successfully published a DRA via Group Policy (Win2k3/AD). I > >> > created > >> > an encrypted file on an XP2 machine. When I click details of the > >> > encrypted > >> > file, I can see the DRA. Associated with the user is a Cert Thumbprint. > >> This is good news <G> > >> > >> > > >> > I am logged onto a DC with the DRA user and when I open the > >> > Certificates > >> > snap-in for mmc, the under Personal --> Certificates, the cert is there > >> > (with > >> > the same Thumbprint). Likewise the same cert is listed under Active > >> > Directory > >> > User Object --> Certificates. > >> > >> Does it state that you have the private key associated with the > >> certificate? > >> If yes, then export it now!! Do not pass go, do not wait for anything. > >> This is the only copy of the certificate and private key > >> > >> > >> > However when I try to access the files on the > >> > XP machine from the DC (file share) it says access is denied. I am > >> > trying > >> > to > >> > test the data recovery agent before implementing EFS on my network. Did > >> > I > >> > miss a step? > >> > >> To use the key as the DRA, you must log on locally at the computer. You > >> are connecting over the network. You are connecting over the network. You > >> are creating a profile on the remote machine, generating a new EFS > >> certificate, and attempting to open it with that certificate. The > >> encryption/decryption is all remote. > >> It is not a transfer of the encrypted file to your machine. It is a > >> remote > >> decryption and transfer of the file in the clear. > >> > >> > >> > > >> > Possibly related or unrelated, I am also havinga problem with DC > >> > issued > >> > certs vs. self-signed certs. I was testing with QA and found that I > >> > needed > >> > to > >> > add his self-signed cert to the encrypted file so that he could view > >> > it. > >> > He > >> > has been autoenrolled for a efs cert (duplicate of Basic EFS) but it > >> > doesn't > >> > appear to be working. What did I miss here? Also, I have noticed that > >> > many > >> > users have been autoenrolled for the efs cert multiple times (viewing > >> > the > >> > Certification Authority --> Issued Certificates). > >> > >> > >> There is a KB article (sorry no time to search for it now) that prevents > >> the > >> creation of self-signed certificates. In addition, you want to enable > >> Credential Roamining Services or Roaming profiles to prevent the > >> re-issuance > >> of EFS certificates. > >> > > >> > Any and all help would be greatly appreciated. > >> > -- Steve > >> </span></span> > </span> Quote
Guest Alun Jones Posted July 20, 2008 Posted July 20, 2008 "Steve" <Steve@discussions.microsoft.com> wrote in message news:B25710B1-0727-4067-AB9F-2EDCD098DD62@microsoft.com...<span style="color:blue"> > So either I'm missing something, or I completely misunderstand EFS. > > I have turned off the self-signed certificates on a few XP machines (using > the hotfix from MS and the Group Policy Option to not allow a user to > create > self-signed certs). > > Since then, when I create an EFS file on my XP machine, it uses a cert > from > my CA....Good. But when I try to add another user to the file, he is > unable > to open it. (In fact since installing the hotfix and adding the GP option, > he > can't even create a new file on the encrypted share). I have NOT done > anything with credential roaming yet. Is that my problem? > > Bottom line, I want to encrypt a file on my machine (XP), add a user with > the ability to decrypt it, and allow them to open it on their machine. Is > this not possible?</span> It depends. To make things easier, let's say that the file is stored on a "server", and needs to be fetched by a user on a "client". The user's private key must be stored in his personal store on the server. If his key exists only on the client, he must export the certificate and key from the client, and import it onto the server. Because the key must be in his personal store, only the user can do this for himself. Crazy though it may sound, EFS across a network share decrypts at the server, rather than at the client - the file is transferred across the network in plain text. An alternative to having to export and import your private key on each server is to use a roaming profile, or credential roaming. Note that these two options are mutually exclusive per user. Alun. ~~~~ -- Texas Imperial Software | Web: http://www.wftpd.com/ 23921 57th Ave SE | Blog: http://msmvps.com/alunj/ Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers. Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer. Quote
Guest Steve Posted July 24, 2008 Posted July 24, 2008 I appreciate the assistance. I have read about Roaming Profiles and Credential Roaming but I am still confused as to which one I should implement. Can you offer any advice? Thanks, -- Steve "Alun Jones" wrote: <span style="color:blue"> > "Steve" <Steve@discussions.microsoft.com> wrote in message > news:B25710B1-0727-4067-AB9F-2EDCD098DD62@microsoft.com...<span style="color:green"> > > So either I'm missing something, or I completely misunderstand EFS. > > > > I have turned off the self-signed certificates on a few XP machines (using > > the hotfix from MS and the Group Policy Option to not allow a user to > > create > > self-signed certs). > > > > Since then, when I create an EFS file on my XP machine, it uses a cert > > from > > my CA....Good. But when I try to add another user to the file, he is > > unable > > to open it. (In fact since installing the hotfix and adding the GP option, > > he > > can't even create a new file on the encrypted share). I have NOT done > > anything with credential roaming yet. Is that my problem? > > > > Bottom line, I want to encrypt a file on my machine (XP), add a user with > > the ability to decrypt it, and allow them to open it on their machine. Is > > this not possible?</span> > > It depends. > > To make things easier, let's say that the file is stored on a "server", and > needs to be fetched by a user on a "client". > > The user's private key must be stored in his personal store on the server. > If his key exists only on the client, he must export the certificate and key > from the client, and import it onto the server. Because the key must be in > his personal store, only the user can do this for himself. > > Crazy though it may sound, EFS across a network share decrypts at the > server, rather than at the client - the file is transferred across the > network in plain text. > > An alternative to having to export and import your private key on each > server is to use a roaming profile, or credential roaming. Note that these > two options are mutually exclusive per user. > > Alun. > ~~~~ > -- > Texas Imperial Software | Web: http://www.wftpd.com/ > 23921 57th Ave SE | Blog: http://msmvps.com/alunj/ > Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers. > Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer. > > </span> Quote
Guest Brian Komar \(MVP\) Posted July 25, 2008 Posted July 25, 2008 If all you want to roam is credential information, then Credential Roaming is definitely the way to go. If you want to roam files as well (profile, desktop, My Documents), then you would be better to go with Roaming Profiles. Both can be used, but as referenced in the Deploying CRS whitepaper, you need to set up exceptions to prevent the roaming of the credential information in roaming profiles. If you do not have roaming profiles, and you want to roam EFS credentials, I would lean towards CRS, rather than roaming profiles. Brian "Steve" <Steve@discussions.microsoft.com> wrote in message news:E15464CC-7DD4-4C68-BB87-75D6A098B9D5@microsoft.com...<span style="color:blue"> >I appreciate the assistance. > > I have read about Roaming Profiles and Credential Roaming but I am still > confused as to which one I should implement. Can you offer any advice? > > Thanks, > -- Steve > > "Alun Jones" wrote: ><span style="color:green"> >> "Steve" <Steve@discussions.microsoft.com> wrote in message >> news:B25710B1-0727-4067-AB9F-2EDCD098DD62@microsoft.com...<span style="color:darkred"> >> > So either I'm missing something, or I completely misunderstand EFS. >> > >> > I have turned off the self-signed certificates on a few XP machines >> > (using >> > the hotfix from MS and the Group Policy Option to not allow a user to >> > create >> > self-signed certs). >> > >> > Since then, when I create an EFS file on my XP machine, it uses a cert >> > from >> > my CA....Good. But when I try to add another user to the file, he is >> > unable >> > to open it. (In fact since installing the hotfix and adding the GP >> > option, >> > he >> > can't even create a new file on the encrypted share). I have NOT done >> > anything with credential roaming yet. Is that my problem? >> > >> > Bottom line, I want to encrypt a file on my machine (XP), add a user >> > with >> > the ability to decrypt it, and allow them to open it on their machine. >> > Is >> > this not possible?</span> >> >> It depends. >> >> To make things easier, let's say that the file is stored on a "server", >> and >> needs to be fetched by a user on a "client". >> >> The user's private key must be stored in his personal store on the >> server. >> If his key exists only on the client, he must export the certificate and >> key >> from the client, and import it onto the server. Because the key must be >> in >> his personal store, only the user can do this for himself. >> >> Crazy though it may sound, EFS across a network share decrypts at the >> server, rather than at the client - the file is transferred across the >> network in plain text. >> >> An alternative to having to export and import your private key on each >> server is to use a roaming profile, or credential roaming. Note that >> these >> two options are mutually exclusive per user. >> >> Alun. >> ~~~~ >> -- >> Texas Imperial Software | Web: http://www.wftpd.com/ >> 23921 57th Ave SE | Blog: http://msmvps.com/alunj/ >> Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers. >> Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer. >> >> </span></span> Quote
Guest Steve Posted August 1, 2008 Posted August 1, 2008 The onoing battle continues... In AD U/C I am able to see certificates in the "Published Certificates" Tab. However when I add this certificate to an EFS File on a 2K3 Server, I receive "Access is Denied". If I add a self-signed certificate, (which I have disabled according to the MS KB Article) I am able to view the file. Where am I going wrong? Thanks, -- Steve "Brian Komar (MVP)" wrote: <span style="color:blue"> > If all you want to roam is credential information, then Credential Roaming > is definitely the way to go. > If you want to roam files as well (profile, desktop, My Documents), then you > would be better to go with Roaming Profiles. > Both can be used, but as referenced in the Deploying CRS whitepaper, you > need to set up exceptions to prevent the roaming of the credential > information in roaming profiles. > If you do not have roaming profiles, and you want to roam EFS credentials, I > would lean towards CRS, rather than roaming profiles. > Brian > > "Steve" <Steve@discussions.microsoft.com> wrote in message > news:E15464CC-7DD4-4C68-BB87-75D6A098B9D5@microsoft.com...<span style="color:green"> > >I appreciate the assistance. > > > > I have read about Roaming Profiles and Credential Roaming but I am still > > confused as to which one I should implement. Can you offer any advice? > > > > Thanks, > > -- Steve > > > > "Alun Jones" wrote: > ><span style="color:darkred"> > >> "Steve" <Steve@discussions.microsoft.com> wrote in message > >> news:B25710B1-0727-4067-AB9F-2EDCD098DD62@microsoft.com... > >> > So either I'm missing something, or I completely misunderstand EFS. > >> > > >> > I have turned off the self-signed certificates on a few XP machines > >> > (using > >> > the hotfix from MS and the Group Policy Option to not allow a user to > >> > create > >> > self-signed certs). > >> > > >> > Since then, when I create an EFS file on my XP machine, it uses a cert > >> > from > >> > my CA....Good. But when I try to add another user to the file, he is > >> > unable > >> > to open it. (In fact since installing the hotfix and adding the GP > >> > option, > >> > he > >> > can't even create a new file on the encrypted share). I have NOT done > >> > anything with credential roaming yet. Is that my problem? > >> > > >> > Bottom line, I want to encrypt a file on my machine (XP), add a user > >> > with > >> > the ability to decrypt it, and allow them to open it on their machine. > >> > Is > >> > this not possible? > >> > >> It depends. > >> > >> To make things easier, let's say that the file is stored on a "server", > >> and > >> needs to be fetched by a user on a "client". > >> > >> The user's private key must be stored in his personal store on the > >> server. > >> If his key exists only on the client, he must export the certificate and > >> key > >> from the client, and import it onto the server. Because the key must be > >> in > >> his personal store, only the user can do this for himself. > >> > >> Crazy though it may sound, EFS across a network share decrypts at the > >> server, rather than at the client - the file is transferred across the > >> network in plain text. > >> > >> An alternative to having to export and import your private key on each > >> server is to use a roaming profile, or credential roaming. Note that > >> these > >> two options are mutually exclusive per user. > >> > >> Alun. > >> ~~~~ > >> -- > >> Texas Imperial Software | Web: http://www.wftpd.com/ > >> 23921 57th Ave SE | Blog: http://msmvps.com/alunj/ > >> Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers. > >> Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer. > >> > >> </span></span> > </span> Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.